[webrtc-pc] STUN/TURN OAuth token auth parameter handover.

From: misi via GitHub <sysbot+gh@w3.org>
Date: Fri, 24 Jun 2016 15:36:28 +0000
To: public-webrtc@w3.org
Message-ID: <issues.opened-162173225-1466782535-sysbot+gh@w3.org>
misi has just created a new issue for 
https://github.com/w3c/webrtc-pc:

== STUN/TURN OAuth token auth parameter handover. ==
I think there is confusion between the current PeerConnection W3C 
API and RFC 7635 
in the STUN/TURN auth credentials/parameters handover...

https://tools.ietf.org/html/rfc7635#appendix-B
```http
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
  "access_token": "U2FsdGVkX18qJK/kkWmRcnfHglrVTJSpS6yU32kmHmOrfGyI3m1gQj1jRPsr0uBbHctuycAgsfRX7nJW2BdukGyKMXSiNGNnBzigkAofP6+Z3vkJ1Q5pWbfSRroOkWBn",
  "token_type": "pop",
  "expires_in": 1800,
  "kid": "22BIjxU93h/IgwEb",
  "key": "v51N62OM65kyMvfTI08O",
  "alg": "HMAC-SHA-256-128"
}
```
Figure 8: Response

Here below I have highlighted the three mandatory parameters that 
need to be passed to the ICE Agent:
 * "access_token":
 * "kid":
 * "key":

So we need to pass at least these 3 values to the ICE Agent in the browser 
through the PeerConnection iceServers configuration interface.

So according to RFC 7635:
 * the key id (kid) (that is used like the username in Long Term 
Credential Auth),
and it has two other "credential" information pieces that are needed to 
auth on the remote TURN server: 
  * the Session Key (Message Integrity, HMAC key) (that is used like 
the password in Long Term Credential Auth)
  * the Access Token (self-containing token, e.g. an 
Authenticated-Encryption with Associated-Data (AEAD) encrypted token). 
In figure 8 it is the key:

See: https://w3c.github.io/webrtc-pc/#idl-def-rtciceserver

So in WebIDL I could find only one DOMString for Credential.

```webidl
dictionary RTCIceServer {
    required (DOMString or sequence<DOMString>) urls;
             DOMString                          username;
             DOMString                          credential;
             RTCIceCredentialType               credentialType = "password";
};
```

And furthermore, this credential field normally, in the case of "password" 
auth (Long Term Credential), contains the Session Key (Message 
Integrity, HMAC key).

I am wondering what the right way is to pass the access token, the 
third value? 
How to pass the 3 pieces of information in 2 fields, username/credential?
I propose to add a third field for the access_token, or to add 
clarification in W3C PeerConnection.

The actual W3C webrtc-pc says that the access_token needs to be 
passed as the credential:
https://w3c.github.io/webrtc-pc/#rtcicecredentialtype-enum
"The credential is an access token"
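As an added illustration (not code from this issue, from the webrtc-pc spec, or from RFC 7635), the JavaScript below parses a response with the Figure 8 field layout, validates the three mandatory parameters and the expiry, builds the RTCIceServer entry the quoted spec text implies (credential = access_token, username = kid), and reports which value has no place in the dictionary. The TURN URL, the sample token value and the credentialType string passed by the caller are assumptions.

```javascript
// Constructed sample body with the RFC 7635 Figure 8 field layout
// (the access_token value is a placeholder, not a real token).
const SAMPLE_RESPONSE = JSON.stringify({
  access_token: "U2FsdGVkX18q...placeholder...",
  token_type: "pop",
  expires_in: 1800,
  kid: "22BIjxU93h/IgwEb",
  key: "v51N62OM65kyMvfTI08O",
  alg: "HMAC-SHA-256-128",
});

// The three parameters the ICE agent needs, per the issue text.
const REQUIRED = ["access_token", "kid", "key"];

// Validate the token response and normalise it; `now` is epoch milliseconds.
function parseTokenResponse(body, now = Date.now()) {
  const r = JSON.parse(body);
  const missing = REQUIRED.filter((f) => typeof r[f] !== "string" || r[f] === "");
  if (missing.length) throw new Error(`token response missing: ${missing.join(", ")}`);
  if (r.token_type !== "pop") throw new Error(`unexpected token_type: ${r.token_type}`);
  const ttl = Number(r.expires_in);
  if (!Number.isFinite(ttl) || ttl <= 0) throw new Error("invalid expires_in");
  return {
    accessToken: r.access_token, kid: r.kid, sessionKey: r.key,
    alg: r.alg, expiresAt: now + ttl * 1000,
  };
}

// A token past expires_in must be refreshed, never reused.
function isExpired(tok, now = Date.now()) {
  return now >= tok.expiresAt;
}

// Build the RTCIceServer entry as the quoted webrtc-pc text suggests:
// the credential carries the access token. `credentialType` is whatever
// enum value the caller selects (assumption: not fixed by this example).
function toIceServer(turnUrl, tok, credentialType) {
  return { urls: [turnUrl], username: tok.kid, credential: tok.accessToken, credentialType };
}

// Which of the three values did not fit into username/credential?
// With the mapping above this is the session key, the issue's point.
function unmappedFields(tok, server) {
  const carried = new Set([server.username, server.credential]);
  return Object.entries({ kid: tok.kid, accessToken: tok.accessToken, sessionKey: tok.sessionKey })
    .filter(([, v]) => !carried.has(v))
    .map(([k]) => k);
}
```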

Any comment highly appreciated!

Please view or discuss this issue at 
https://github.com/w3c/webrtc-pc/issues/714 using your GitHub account
Received on Friday, 24 June 2016 15:36:33 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:48 UTC